View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
10576 | Feature requests | Security | public | 2016-02-24 14:56 | 2021-03-08 19:45 |
Field | Value |
---|---|
Reporter | johntopley |
Assigned To | c_schmitz |
Priority | normal |
Severity | feature |
Status | closed |
Resolution | won't fix |
Summary | 10576: Cross Frame Scripting Vulnerability |
Description | Our LimeSurvey installation was recently penetration tested by a security consultancy. They identified that LimeSurvey has a vulnerability whereby it allows itself to be embedded within an iFrame on a web page controlled by a third party. This would allow an attacker to capture keystrokes entered within LimeSurvey. |
Additional Information | Open Web Application Security Project (OWASP): Cross Frame Scripting https://www.owasp.org/index.php/Cross_Frame_Scripting "Frame busting" techniques can be employed by web applications to ensure they cannot be loaded within an iFrame. The current best practice is to use the following suggested JavaScript code: `<style type="text/css">html { display:none; }</style>` |
Tags | data integrity, data security |
Attached Files | |
Bug heat | 254 |
Story point estimate | |
Users affected % | |
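As an added example (not LimeSurvey's own code), the check a reviewer would run against a deployment like the one described above: given a page's response headers, decide whether third-party sites may embed it in an iframe. The sample header sets are constructed; browsers apply a CSP `frame-ancestors` directive in preference to `X-Frame-Options`, so the function checks CSP first.

```javascript
// Added example, not LimeSurvey code: given the response headers of a page, decide
// whether other sites may embed it in an iframe. Browsers apply CSP's frame-ancestors
// directive in preference to X-Frame-Options, so it is checked first.
// Result: { policy: 'any' | 'restricted' | 'none', source, sources }.

function parseFrameAncestors(cspValue) {
  // A CSP header carries several ';'-separated directives; find frame-ancestors.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // no frame-ancestors directive: CSP says nothing about framing
}

function framingPolicy(headers) {
  // Normalise header names; `headers` is a plain { name: value } object.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    if (sources.includes("'none'")) return { policy: 'none', source: 'csp', sources };
    if (sources.includes('*')) return { policy: 'any', source: 'csp', sources };
    // 'self' or an explicit host list: only the listed origins may frame the page
    return { policy: 'restricted', source: 'csp', sources };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { policy: 'none', source: 'x-frame-options', sources: [] };
  if (xfo === 'SAMEORIGIN') return { policy: 'restricted', source: 'x-frame-options', sources: ["'self'"] };
  // ALLOW-FROM and other unrecognised values are ignored by current browsers,
  // which then apply no restriction at all.
  return { policy: 'any', source: 'default', sources: ['*'] };
}

// Constructed sample responses: the unrestricted case the pen-test report flagged,
// and two hardened variants.
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  sameOriginOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspAllowList: { 'X-Frame-Options': 'DENY',
                  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://intranet.example" },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingPolicy(headers));
}
```

Note that `Content-Security-Policy-Report-Only` only reports and does not block framing, so it is deliberately not consulted here.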
Hi, we have a lot of users who want LimeSurvey in an iframe .... And actually: these users must deactivate CSRF control to allow it.

Hi, is that the "enableCsrfValidation" setting as documented here: https://manual.limesurvey.org/Optional_settings#Request_settings

Yes. But for the issue: can you reproduce with an iframe on demo.limesurvey.org, for example? The top window cannot read the iframe if it's not the same domain, unless the server admin fixes the Same-origin policy. OK: IE bug ..... (version?). Actually: the user can use an iframe and there is no problem. A LOT of users want this ... so I don't want it in core.

The attached file is a screenshot taken from the penetration testing report that shows our LimeSurvey instance embedded in an iFrame. Our LimeSurvey has 'enableCsrfValidation'=>true in application/config/internal.php. Is this the expected behaviour?

OK, embedded in an iframe: but did you try to enter the survey?

Your mind on this?

Reassigning it to you Carsten; I think it's not a security issue. The browser must do the job: Same-origin policy.
|
Date Modified | Username | Field | Change |
---|---|---|---|
2016-02-24 14:56 | johntopley | New Issue | |
2016-02-24 14:56 | johntopley | Tag Attached: data integrity | |
2016-02-24 14:56 | johntopley | Tag Attached: data security | |
2016-02-25 08:38 | DenisChenu | Note Added: 35679 | |
2016-02-25 10:17 | johntopley | Note Added: 35686 | |
2016-02-25 10:31 | DenisChenu | Note Added: 35689 | |
2016-02-25 10:33 | DenisChenu | Note Edited: 35689 | |
2016-03-02 09:48 | johntopley | File Added: 10576.png | |
2016-03-02 09:51 | johntopley | Note Added: 35833 | |
2016-03-02 10:00 | DenisChenu | Note Added: 35834 | |
2016-03-02 10:00 | DenisChenu | Note Added: 35835 | |
2016-03-02 10:00 | DenisChenu | Assigned To | => c_schmitz |
2016-03-02 10:00 | DenisChenu | Status | new => feedback |
2016-03-02 10:00 | DenisChenu | Assigned To | c_schmitz => |
2016-03-03 15:12 | DenisChenu | Assigned To | => c_schmitz |
2016-03-03 15:12 | DenisChenu | Status | feedback => assigned |
2016-03-03 15:13 | DenisChenu | Note Added: 35880 | |
2020-10-26 16:43 | DenisChenu | Note Added: 60415 | |
2021-03-08 19:45 | c_schmitz | Status | assigned => closed |
2021-03-08 19:45 | c_schmitz | Resolution | open => won't fix |